Date: Sat, 19 Apr 2003 10:34:49 -0600
From: Joe Lewis <joe@relia.net>
To: Olivier Dony <olivier@blacktrap.net>
Cc: Willie Viljoen <will@unfoldings.net>
Subject: Re: Why does SSH prompt for 2 passwords?
Message-ID: <3EA17AA9.8090404@relia.net>
References: <3E9F2F25.1050103@relia.net> <200304181502.23207.will@unfoldings.net> <20030419104149.GA16454@naboo.blacktrap.net>

I am MOST appreciative of the tutorial on the matter that I have
received.  The explanations have been simple, straightforward, and
enlightening.  Thank all, for the help and info you have provided.

Joe

Olivier Dony wrote:
> On Fri, Apr 18, 2003 at 03:02:23PM +0200, Willie Viljoen wrote:
>
>>On Friday 18 April 2003 0:48, someone, possibly Joe Lewis, typed:
>>
>>>Password:
>>>Response:
>>>joe@192.168.1.1's password:
>>
>>The first prompt is PAM challenge response authentication. This uses the PAM
>>system instead of just a flat read of /etc/master.passwd to authenticate,
>>and is also more secure than standard plaintext authentication.
>>
>>Unless your sshd is misconfigured, your configuration files and binaries are
>>out of sync (this happens when a system is upgraded without doing
>>mergemaster), this should not be happening, and you should be able to log
>>in at the first prompt. It might also be that the ssh client you are using
>>does not handle challenge response authentication properly.
>
> Indeed and one thing you should check is whether you are not using SSH v1 by
> mistake. This might happen if you are using it with arg -1, e.g.:
>
>   $ ssh -1 somehost.domain.tld
>   Password:
>   Response:
>   $ ssh -2 somehost.domain.tld
>   Password:
>
> or if your ssh client is set up to try SSH v1 first, e.g. if using FreeBSD's
> one as it seems, that would be:
>
>   Protocol 1,2
>
> in the relevant part of your /etc/ssh/ssh_config, see ssh_config(5) for more
> details.
>
>>If you are happy with standard plaintext configuration, you may edit
>>/etc/ssh/sshd_config and change the setting to this:
>>
>># Change to no to disable PAM authentication
>>ChallengeResponseAuthentication no
>
> This will do if you control the ssh server you are connecting to, but that
> will only be a workaround and you probably want to fix the client problem,
> as the same could happen on other hosts.
>
>>I'd recommend you rather get PAM fixed though, or use public key
>>authentication instead, that's much more secure than any form of password
>>authentication.
>
> I'd second on using public key authentication, as this will make remote
> logins even faster, and more secure, provided that your private key is
> properly secured. The ssh(1) man page explains it somewhat in the SSH protocol
> version 2 section.
>
> Hope this helps.
>
> Olivier
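
The two settings named in the message above can be checked mechanically. The following is an added example, not part of the original thread: it lists client `Protocol` lines that still offer SSH v1 and reports the server's `ChallengeResponseAuthentication` value. The function names `find_protocol_v1` and `conf_value` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the two settings discussed in the thread.

# List uncommented "Protocol" lines in ssh_config-style file $1 that offer
# SSH v1 (e.g. "Protocol 1,2"). Output: "<lineno>: Protocol <value>".
find_protocol_v1() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Key=value" too
        tolower($1) == "protocol" {
            n = split($2, v, ",")
            for (i = 1; i <= n; i++)
                if (v[i] == "1") { print NR ": " $1 " " $2; break }
        }' "$1"
}

# Print the first uncommented value of keyword $1 in sshd_config-style
# file $2 (lowercased), or "unset" if the keyword never appears.
conf_value() {
    awk -v key="$(printf %s "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        { sub(/[ \t]*=[ \t]*/, " ") }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$2"
}

# Constructed sample files (not taken from any real host).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ssh_config" <<'EOF'
# Protocol 1
Host *
    Protocol 1,2
Host newbox
    Protocol 2
EOF
cat > "$tmp/sshd_config" <<'EOF'
#ChallengeResponseAuthentication yes
# Change to no to disable PAM authentication
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF

echo "client lines offering SSH v1:"
find_protocol_v1 "$tmp/ssh_config"
echo "ChallengeResponseAuthentication: $(conf_value ChallengeResponseAuthentication "$tmp/sshd_config")"
echo "PasswordAuthentication: $(conf_value PasswordAuthentication "$tmp/sshd_config")"
```

To audit a real host, point the functions at /etc/ssh/ssh_config and /etc/ssh/sshd_config instead of the sample files; per-user client settings in ~/.ssh/config need the same check.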